
External Attestation (third-party verification)

Goal: let a neutral party reproduce one Helix conformance pack and publish a signed result. This is a credibility artifact, not a product feature.

Minimal flow for an external lab/auditor

  1. Download the repo or release artifacts plus repro/helix_repro_bundle_v1.
  2. Install Helix (release build) in a clean env: python -m venv /tmp/helix-attest && . /tmp/helix-attest/bin/activate && pip install helix-governance[viz,schema].
  3. Run the conformance pack: ./tools/conformance.sh (or python tools/conformance.sh on Windows).
  4. Capture outputs: conformance.log, pytest.xml (if -q --junitxml is added), SHA256SUMS.txt for artifacts, and the environment fingerprint (python -V, uname -a).
  5. Publish a signed attestation bundle (zip): log + hashes + SBOM of the installed wheel (syft helix-governance -o spdx-json).
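The capture and hash-list steps (4 and 5), as an added example that is not part of Helix: it renders emitted artifacts in the SHA256SUMS.txt format that sha256sum -c reads, turns a pytest --junitxml report into the per-test PASS/FAIL summary the template asks for, records the environment fingerprint as data, and lets the verifying party re-check the hash list. File names and test ids used with it are constructed samples.

```python
"""Helper functions for building and re-checking a Helix attestation bundle's
hash list and per-test summary (added example; not Helix's own tooling)."""
import hashlib
import platform
import sys
import xml.etree.ElementTree as ET
from pathlib import Path


def read_tree(root):
    """Load every regular file under root into {relative_posix_path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def sha256sums(files):
    """Render {name: bytes} as SHA256SUMS.txt lines: '<hex>  <name>' (two spaces)."""
    return "\n".join(f"{hashlib.sha256(data).hexdigest()}  {name}"
                     for name, data in sorted(files.items())) + "\n"

def verify_sha256sums(sums_text, files):
    """Re-hash each listed file; returns {name: bool}. Missing files count as False."""
    results = {}
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        data = files.get(name)
        results[name] = data is not None and hashlib.sha256(data).hexdigest() == expected
    return results

def junit_summary(xml_text):
    """PASS/FAIL/SKIP per testcase from a pytest --junitxml report."""
    summary = {}
    for case in ET.fromstring(xml_text).iter("testcase"):
        test_id = f"{case.get('classname')}::{case.get('name')}"
        if case.find("failure") is not None or case.find("error") is not None:
            summary[test_id] = "FAIL"
        elif case.find("skipped") is not None:
            summary[test_id] = "SKIP"
        else:
            summary[test_id] = "PASS"
    return summary

def environment_fingerprint():
    """The python -V / uname -a fingerprint as data for the attestation record."""
    return {"python": sys.version.split()[0],
            "os": platform.platform(), "cpu": platform.machine()}
```

Write sha256sums(read_tree(outdir)) to SHA256SUMS.txt before zipping and signing; the verifier runs verify_sha256sums over the same tree and expects every entry to be True.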

Suggested template for published attestation

  • Who ran it (organization + contact)
  • Helix version and commit/tag
  • Platform (OS/CPU/GPU), Python version
  • Command run, start/end time (optional)
  • PASS/FAIL summary per test
  • Hashes of all emitted files
  • Signature (GPG) over the zip or a detached signature over the hash list

Where to stash attestations

  • Repo path: attestations/<tag>/<org>-conformance.zip (add to .gitignore if large) or attach to GitHub Releases.
  • Reference the attestation in CHANGELOG.md for that tag.

Notes

  • Keep the pack small to make attestation cheap; use the D0/D1 conformance runner by default.
  • External attestation should be repeatable offline once artifacts are downloaded.
  • If an attestation fails, file it via SECURITY.md channels and publish remediation once fixed.